HIPAA trumps biometric privacy law in drug cabinet lawsuit
A rare Biometric Information Privacy Act win for the defense has been recorded in the U.S. state of Illinois.
Health care workers in some instances are not protected by BIPA, an Illinois law that requires private organizations to get written consent from people before collecting biometric data and inform them of how it will be managed.
The Illinois Supreme Court unanimously found that no consent is required when a health care worker is required by an employer to submit to a fingerprint scan to access drug cabinets. The defendants were med-tech firm Becton, Dickinson and two Chicago area hospitals that used the company’s cabinets to store restricted substances and medications.
The justices said they were not giving a categorical exclusion to health care workers.
Virtually every other BIPA case has ended in a victory for the plaintiff or settlement.
The plaintiffs in this court case (No. 129081) felt that BIPA creates an exclusion for patient information. But the justices said the “plain language” of the law make it clear that the legislature intended to exclude health care workers as well as patients from protection of their biometric data.
Lawmakers that wrote BIPA created protection exclusions for some classes of biometric data, including data related to the federal Health Insurance Portability and Accountability Act. HIPAA is one of the very few U.S. laws protecting a broad and vital vein of information, a person’s health data.
In rejecting plaintiffs’ challenge, the Supreme Court all but created sentence trees and analyzed verbs to divine politicians’ intent.
Of particular interest was a phrase about what can be excluded: “information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.”